Version: 25.08

Google Workspace

Cyberhaven integrates with Google Workspace (formerly GSuite) to provide visibility into Gmail activity, including sender and recipient email addresses and attachments across your organization's domains. The Google Workspace Cloud Sensor uses Google APIs to retrieve events and user information from your Google Workspace environment.

Like other cloud sensors, the Google Workspace Cloud Sensor requires elevated privileges in your Google Workspace tenant. No service accounts are required beyond the Cyberhaven service account that is authorized through domain-wide delegation by a Google Workspace administrator.

Requirements

  • Admin account with rights to manage domain-wide delegation in Google Workspace.
  • Ability to enable Google GSuite support from the Cyberhaven Console under Preferences > Features control.
  • A valid domain to be added under Cloud Sensors > Google GSuite in the Cyberhaven Console.
  • Cyberhaven service identifier (Client ID) from Cyberhaven Support, required to authorize API access.

Dependencies

The application requires the following permissions to function:

Scope | Purpose
https://www.googleapis.com/auth/admin.directory.user.readonly | Retrieves domain user metadata for accurate policy enforcement.
https://www.googleapis.com/auth/gmail.readonly | Allows the sensor to monitor email metadata (sender, recipient, and attachments) for data movement detection.
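
An administrator can confirm that the domain-wide delegation entry grants exactly the two scopes listed above and nothing broader. The following check is an added example, not Cyberhaven code; the function names, the placeholder client ID, and the sample scope strings are assumptions constructed for illustration.

```python
# Added example: least-privilege audit of a domain-wide delegation entry.
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
})


def parse_scopes(raw):
    """Split a comma- or whitespace-delimited scope string into a de-duplicated set."""
    return {part for part in raw.replace(",", " ").split() if part}


def audit_delegation(client_id, raw_scopes):
    """Compare the scopes granted to one client ID with the two scopes the page lists."""
    granted = parse_scopes(raw_scopes)
    missing = sorted(REQUIRED_SCOPES - granted)
    excess = sorted(granted - REQUIRED_SCOPES)
    # Excess scopes whose name lacks ".readonly" deserve review first.
    review_first = [s for s in excess if not s.endswith(".readonly")]
    if excess:
        status = "over-privileged"
    elif missing:
        status = "incomplete"
    else:
        status = "ok"
    return {"client_id": client_id, "status": status, "missing": missing,
            "excess": excess, "review_first": review_first}


# Constructed sample entries; the client ID is a placeholder, not a real value.
SAMPLE_ENTRIES = [
    ("CLIENT_ID_PLACEHOLDER",
     "https://www.googleapis.com/auth/admin.directory.user.readonly, "
     "https://www.googleapis.com/auth/gmail.readonly"),
    ("CLIENT_ID_PLACEHOLDER",
     "https://www.googleapis.com/auth/gmail.readonly,https://mail.google.com/"),
]

if __name__ == "__main__":
    for cid, scopes in SAMPLE_ENTRIES:
        result = audit_delegation(cid, scopes)
        print(result["status"], "missing:", result["missing"], "excess:", result["excess"])
```

Paste the scope string exactly as it appears in the delegation entry; an "incomplete" result means the sensor lacks a scope it needs, and "over-privileged" means the entry should be trimmed to the two scopes above.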

Network

Security exclusions

Limitations

  • The Cloud Sensor tracks sender and recipient metadata and attachment details but does not read the actual email body content.
  • User groups and email aliases are not supported. Events may appear disconnected when email is sent to an alias or distribution list.
  • Collaboration with Endpoint Sensors is required for DLP scanning of attachments uploaded or downloaded in the browser.